Notification 


This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties 
of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this 
bulletin or otherwise. 

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no 
foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, 
TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see http://www.us-cert.gov 


Summary 


Description 

Three files were submitted to US-CERT for analysis. All files are confirmed as components of a ransomware campaign identified as 
"WannaCry", a.k.a. "WannaCrypt" or ".wnCry". The first file is a dropper, which contains and runs the ransomware, propagating via the 
MS17-010/EternalBlue SMBv1.0 exploit. The remaining two files are ransomware components containing encrypted plug-ins responsible for 
encrypting the victim's files. Displayed below is a YARA signature that can be used to detect the ransomware: 


rule Wanna_Cry_Ransomware_Generic {
    meta:
        description = "Detects WannaCry Ransomware on Disk and in Virtual Page"
        author = "US-CERT Code Analysis Team"
        reference = "not set"
        date = "2017/05/12"
        hash0 = "4DA1F312A214C07143ABEEAFB695D904"
    strings:
        $s0 = {41 00 44 00 4D 00 49 00 4E 00 24}  // "ADMIN$" in UTF-16LE
        $s1 = "Wanna Decryptor"
        $s2 = "WANNACRY"
        $s3 = "Microsoft Enhanced RSA and AES Cryptographic"
        $s4 = "PKS"
        $s5 = "StartTask"
        $s6 = "wcry@123"
        $s7 = {2F 66 00 00 2F 72}  // "/f\0\0/r"
        $s8 = "unzip 0.15 Copyrigh"
        $s9 = "Global\\WINDOWS_TASKOSHT_MUTEX"
        $s10 = "Global\\WINDOWS_TASKCST_MUTEX"
        // "tasksche.exe\0\0\0\0TaskStart\0\0\0t.wnry\0\0icac"
        $s11 = {74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63}
        // "ls . /grant Everyone:F /T /C /Q\0attrib +h"
        $s12 = {6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68}
        $s13 = "WNcry@2ol7"
        $s14 = "wcry@123"
        $s15 = "Global\\MsWinZonesCacheCounterMutexA"
    condition:
        // YARA evaluates "and" before "or"; the parentheses only make that grouping explicit
        ($s0 and $s1 and $s2 and $s3) or ($s4 and $s5 and $s6 and $s7) or ($s8 and $s9 and $s10) or ($s11 and $s12) or $s13 or $s14 or $s15
}
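The following is an added example, not part of the US-CERT report: a pure-Python evaluator for the rule above, useful for checking what the signature actually keys on when the yara module is not at hand. It decodes the hex strings (the $s0 bytes are "ADMIN$" in UTF-16LE; $s11 and $s12 are adjacent fragments of the icacls/attrib command line embedded in the binary) and applies the condition with YARA's precedence, where "and" binds tighter than "or". The strings are copied from the rule with the OCR artefacts corrected (the password WNcry@2ol7 as given in the tasksche.exe description, and the mutex name Global\MsWinZonesCacheCounterMutexA); the test buffers are constructed, not real samples.

```python
# Strings as given in the rule; YARA hex strings decoded to bytes, text strings as bytes.
STRINGS = {
    "s0": bytes.fromhex("410044004D0049004E0024"),   # "ADMIN$" in UTF-16LE (admin share)
    "s1": b"Wanna Decryptor",
    "s2": b"WANNACRY",
    "s3": b"Microsoft Enhanced RSA and AES Cryptographic",
    "s4": b"PKS",
    "s5": b"StartTask",
    "s6": b"wcry@123",
    "s7": bytes.fromhex("2F6600002F72"),             # "/f\0\0/r"
    "s8": b"unzip 0.15 Copyrigh",
    "s9": b"Global\\WINDOWS_TASKOSHT_MUTEX",
    "s10": b"Global\\WINDOWS_TASKCST_MUTEX",
    "s11": bytes.fromhex("7461736B736368652E657865000000005461736B5374617274000000742E776E7279000069636163"),
    "s12": bytes.fromhex("6C73202E202F6772616E742045766572796F6E653A46202F54202F43202F5100617474726962202B68"),
    "s13": b"WNcry@2ol7",
    "s14": b"wcry@123",
    "s15": b"Global\\MsWinZonesCacheCounterMutexA",
}


def found(buf: bytes) -> dict:
    """Which of the rule's strings occur anywhere in buf (a bare $sN in YARA means 'present')."""
    return {name: pat in buf for name, pat in STRINGS.items()}


def matches(buf: bytes) -> bool:
    """The rule's condition with YARA precedence made explicit: 'and' binds tighter than 'or'."""
    h = found(buf)
    return ((h["s0"] and h["s1"] and h["s2"] and h["s3"])
            or (h["s4"] and h["s5"] and h["s6"] and h["s7"])
            or (h["s8"] and h["s9"] and h["s10"])
            or (h["s11"] and h["s12"])
            or h["s13"] or h["s14"] or h["s15"])


def decoded_hex_strings() -> dict:
    """Printable view of the hex strings, NUL bytes shown as \\0, for analysts reading the rule."""
    return {n: STRINGS[n].decode("latin-1").replace("\x00", "\\0")
            for n in ("s0", "s7", "s11", "s12")}


# Constructed test buffers (not real samples): one carrying the contiguous $s11+$s12 fragment
# ("tasksche.exe ... TaskStart ... t.wnry ... icacls . /grant Everyone:F /T /C /Q ... attrib +h")
# as it would sit in the binary, one benign PE-like header, and one holding only part of group 1.
SUSPECT_BUF = b"MZ" + b"\x00" * 64 + STRINGS["s11"] + STRINGS["s12"] + b"\x00" * 16
BENIGN_BUF = b"MZ" + b"This program cannot be run in DOS mode." + b"\x00" * 64
PARTIAL_BUF = STRINGS["s0"] + STRINGS["s2"]   # $s0 and $s2 alone satisfy no group of the condition
```

Note that $s13, $s14 and $s15 each fire on their own, so the rule is effectively "any of the password strings or the mutex name, or one of the grouped string sets"; that is worth knowing before tuning it, since the passwords also occur in analysis reports and in the extracted .wnry files, not only in the executables.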


Files Processed: 39 

0252d45ca21c8e43c9742285c48e91ad (m_chinese (simplified).wnry) 
025ac29fc5b52570a0a031de71f201bf (s.wnry) 
08b9e69b57e4c9b966664f8e1c27ab09 (m_filipino.wnry) 
17194003fa700e477326ce2f6deeb270 (m_croatian.wnry) 
2c5a3b81d5c4715b7bea01033367fcb5 (m_danish.wnry) 
2efc3690d67cd073a9406a25005f7cea (m_chinese (traditional).wnry) 
30a200f78498990095b36f574b6e8690 (m_italian.wnry) 
313e0ececd24f4fa1504118a11bc7986 (m_romanian.wnry) 
35c2f97eea8819b1caebd23fee732d8f (m_finnish.wnry) 
3788f91c694dfc48e12417ce93356b0f (m_indonesian.wnry) 
3d59bbb5553fe03a89f817819540f469 (m_german.wnry) 
3e0020fc529b1c2a061016dd2469ba96 (r.wnry) 
452615db2336d60af7e2057481e4cab5 (m_russian.wnry) 
4da1f312a214c07143abeeafb695d904 (4da1f312a214c07143abeeafb695d904) 
4e57113a6bf6b88fdd32782a4a381274 (m_french.wnry) 
4fef5e34143e646dbf9907c4374276f5 (taskdl.exe) 
531ba6b1a5460fc9446946f91cc8c94b (m_turkish.wnry) 
537efeecdfa94cc421e58fd82a58ba9e (m_czech.wnry) 
5bef35496fcbdbe841c82f4d1ab8b7c2 (5bef35496fcbdbe841c82f4d1ab8b7c2) 
5dcaac857e695a65f5c3ef1441a73a8f (t.wnry) 
6735cb43fe44832b061eeb3f5956b099 (m_korean.wnry) 
7a8d499407c6a647c03c4471a67eaad7 (m_dutch.wnry) 
7bf2b57f2a205768755c07f238fb32cc (u.wnry) 
8419be28a0dcec3f55823620922b00fa (m_vietnamese.wnry) 
84954001199ac77853c53b5a3f278f3e (taskse.exe) 
86721e64ffbd69aa6944b9672bcabb6d (tasksche.exe) 
8d61648d34cba8ae9d1e2a219019add1 (m_spanish.wnry) 
95673b0f968c0f55b32204361940d184 (m_bulgarian.wnry) 
ae08f79a0d800b82fcbe1b43cdbdbefc (c.wnry) 
b77e1221f7ecd0b5d696cb66cda1609e (m_japanese.wnry) 
c17170262312f3be7027bc2ca825bf0c (b.wnry) 
c33afb4ecc04ee1bcc6975bea49abe40 (m_latvian.wnry) 
c7a19984eb9f37198652eaf2fd1ee25c (m_swedish.wnry) 
c911aba4ab1da6c28cf86338ab2ab6cc (m_slovak.wnry) 
e79d7f2833a9c2e2553c7fe04a1b63f4 (m_polish.wnry) 
fa948f7d8dfb21ceddd6794f2d56b44f (m_portuguese.wnry) 
fb4e8718fea95bb7479727fde80cb424 (m_greek.wnry) 
fe68c2dc0d2419b38f44d83f2fcf232e (m_english.wnry) 
ff70cc7c00951084175d12128ce02399 (m_norwegian.wnry) 

Domains Identified: 6 

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 
gx7ekbenv2riucmf.onion 
57g7spgrzlojinas.onion 
xxlvbrloxvriy2c5.onion 
76jdd2ir2embyv47.onion 
cwwnhwhlz52maqm7.onion 
Files 


5bef35496fcbdbe841c82f4d1ab8b7c2 

Details 

Name     5bef35496fcbdbe841c82f4d1ab8b7c2 
Size     3723264 
Type     PE32 executable (GUI) Intel 80386, for MS Windows 
MD5      5bef35496fcbdbe841c82f4d1ab8b7c2 
SHA1     50049556b3406e07347411767d6d01a704b6fee6 
ssdeep   98304:wDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3R:wDqPu1Cxcxk3ZAEUadzR8yc4gB 
Entropy  7.9642512073 


Antivirus 

MicroWorld-eScan     Trojan.GenericKD.5055387 
nProtect             Ransom/W32.Wanna.3723264 
CAT-QuickHeal        Ransom.WannaCryBot 
ALYac                Trojan.Ransom.WannaCryptor 
Malwarebytes         Ransom.WanaCryptOr 
AegisLab             Ml.Attribute.Genic 
K7GW                 Exploit ( 0050d7a31 ) 
K7AntiVirus          Exploit ( 0050d7a31 ) 
Arcabit              Trojan.Generic.D4D239B 
Invincea             virtool.win32.injector.eg 
Baidu                Win32.Worm.Rbot.a 
Cyren                W32/Trojan.AHAZ-1193 
Symantec             Ransom.Wannacry 
Paloalto             generic.ml 
ClamAV               Win.Trojan.Agent-6313878-0 
GData                Win32.Trojan-Ransom.WannaCry.D 
Kaspersky            Trojan-Ransom.Win32.Wanna.m 
BitDefender          Trojan.GenericKD.5055387 
NANO-Antivirus       Trojan.Win32.Wanna.eorfmq 
Avast                Win32:WanaCry-A [Trj] 
Rising               Ransom.FileCryptor!8.1A7 (cloud:pN1yUsg5xNU) 
Ad-Aware             Trojan.GenericKD.5055387 
Emsisoft             Trojan-Ransom.WanaCryptOr (A) 
Comodo               TrojWare.Win32.Ransom.WannaCryptor.a 
F-Secure             Trojan.GenericKD.5055387 
DrWeb                Trojan.Encoder.11432 
VIPRE                Trojan.Win32.Generic!BT 
TrendMicro           WORM_WCRY.A 
McAfee-GW-Edition    Ransom-WannaCry!86721E64FFBD 
Sophos               Troj/Wanna-E 
Ikarus               Trojan.Win32.Filecoder 
F-Prot               W32/WannaCrypt.D 
Jiangmin             Trojan.WanaCry.i 
Webroot              W32.Ransom.Wannacry 
Avira                BDS/Agent.ilyda 
Endgame              malicious (high confidence) 
ViRobot              Trojan.Win32.S.WannaCry.3723264.l[h] 
ZoneAlarm            Trojan-Ransom.Win32.Wanna.m 
Microsoft            Ransom:Win32/WannaCrypt.A!rsm 
AhnLab-V3            Trojan/Win32.WannaCryptor.R200572 
McAfee               GenericR-JTA!5BEF35496FCB 
AVware               Trojan.Win32.Generic!BT 
VBA32                suspected of Trojan.Downloader.gen.h 
ESET-NOD32           Win32/Exploit.CVE-2017-0147.A 
Tencent              Win32.Trojan.Ransomware.Auto 
SentinelOne          static engine - malicious 
Fortinet             W32/WannaCryptor.D!tr 
AVG                  Ransom_r.CGA 
Panda                Trj/RansomCrypt.J 
CrowdStrike          malicious_confidence_100% (W) 
Qihoo-360            Win32/Trojan.Ransom.50f 


US-CERT MIFR-10124171 

3 of 41 

PE Information 

Compiled  2010-11-20T09:03:08Z 

PE Sections 

Name      MD5                               Raw Size  Entropy 
(header)  2ed157e77d0d2252c36eedfb2e2d3784  4096      0.726699793774 
.text     c7613102e2ecec5dcefc144183189153  36864     6.13459082812 
.rdata    d8037d744b539326c06e897625751cc9  4096      3.50361558618 
.data     22a8598dc29cad7078c291e94612ce26  159744    6.10031814517 
.rsrc     aa250ba035b78129d983f27904848732  3518464   7.99522172756 

Packers 

Name                       Version  Entry Point 
Microsoft Visual C++ v6.0  NA       NA 

Relationships 

(F) 5bef35496fcbdbe841c82f4d1ab8b7c2 (5bef3)  Connected_To  (D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 
(F) 5bef35496fcbdbe841c82f4d1ab8b7c2 (5bef3)  Dropped       (F) tasksche.exe (86721) 


Description 

This artifact is a malicious PE32 executable that has been identified as a WannaCry ransomware dropper. Upon execution, the dropper 
attempts to connect to the following hard-coded URI: 

http[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com 

Displayed below is a sample request observed: 

--Begin request-- 

GET / HTTP/1.1 
Host: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 
Cache-Control: no-cache 

--End request-- 

If a connection is established, the dropper terminates. If the connection fails, the dropper infects the system with the ransomware. 
When executed, the malware is designed to run as a service with the parameters "-m security". During runtime, the malware checks the 
number of arguments passed on the command line. If fewer than two arguments were passed, the dropper installs itself as the 
following service: 

--Begin service-- 

ServiceName = "mssecsvc2.0" 
DisplayName = "Microsoft Security Center (2.0) Service" 
StartType = SERVICE_AUTO_START 
BinaryPathName = "%current directory%\5bef35496fcbdbe841c82f4d1ab8b7c2.exe -m security" 

--End service-- 

Once the malware starts as the service mssecsvc2.0, the dropper builds and scans a list of IP ranges on the local network, attempting to 
connect using UDP ports 137 and 138 and TCP ports 139 and 445. If a connection to port 445 succeeds, it creates an additional thread to 
propagate by exploiting the SMBv1 vulnerability documented in Microsoft Security Bulletin MS17-010. The malware then extracts and 
installs a PE32 binary from its resource section. This binary has been identified as the ransomware component of WannaCrypt. The 
dropper installs this binary as X:\WINDOWS\tasksche.exe and executes it with the following command: 

--Begin command-- 

X:\WINDOWS\tasksche.exe /i 

--End command-- 

Note: 

When this sample was initially discovered, the domain "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com" was not registered, allowing the 
malware to run and propagate freely. However, within a few days, researchers learned that registering the domain and allowing the 
malware to connect greatly reduced its ability to spread. At this time, all traffic to "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com" is 
redirected to a monitored, non-malicious server, causing the malware to terminate if it is allowed to connect. For this reason, we recommend 
that administrators and network security personnel not block traffic to this domain. 
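The following is an added example, not part of the US-CERT report: a small triage script over constructed proxy and flow-log lines that looks for the two network behaviours the description above attributes to the dropper, the HTTP probe to the kill-switch domain and the sweep of the local network on TCP/445. The log line formats, the host addresses and the fan-out threshold are assumptions made for this example; a real deployment would read the organisation's own proxy and NetFlow exports.

```python
from collections import defaultdict

KILL_SWITCH_HOST = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
FANOUT_THRESHOLD = 20   # distinct TCP/445 destinations from one source (assumed tuning value)

# Constructed proxy log lines: "<time> <src> <method> <host> <path> <status>"
PROXY_LOG = [
    "09:01:02 10.0.0.5 GET www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com / 200",
    "09:01:03 10.0.0.7 GET www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com / 503",
    "09:01:04 10.0.0.9 GET www.example.com /index.html 200",
]
# Constructed flow log lines: "<time> <src> <dst> <dport> <proto>"; 10.0.0.7 sweeps the /24 on 445
FLOW_LOG = [f"09:02:{i % 60:02d} 10.0.0.7 10.0.0.{i} 445 tcp" for i in range(10, 40)] + [
    "09:02:10 10.0.0.9 10.0.0.1 445 tcp",
    "09:02:11 10.0.0.9 10.0.0.2 445 tcp",
    "09:02:12 10.0.0.7 10.0.0.50 80 tcp",
]


def killswitch_probes(lines):
    """Hosts that requested the kill-switch domain, with the HTTP status each received.

    The dropper exits when the connection succeeds, so a completed request marks a host
    on which the dropper ran but stopped; a failed or blocked request (which is why the
    report advises against blocking the domain) marks a host that went on to infect and scan."""
    hits = []
    for line in lines:
        _, src, _, host, _, status = line.split()
        if host.lower() == KILL_SWITCH_HOST:
            hits.append((src, int(status)))
    return hits


def smb_fanout(lines, threshold=FANOUT_THRESHOLD):
    """Sources that connected to at least `threshold` distinct hosts on TCP/445."""
    targets = defaultdict(set)
    for line in lines:
        _, src, dst, dport, proto = line.split()
        if proto == "tcp" and dport == "445":
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def hosts_to_isolate(proxy_lines, flow_lines):
    """Hosts whose kill-switch probe did not complete, plus hosts sweeping 445: isolate first."""
    failed = {src for src, status in killswitch_probes(proxy_lines) if status != 200}
    return sorted(failed | set(smb_fanout(flow_lines)))
```

In the constructed data, 10.0.0.5 reached the sinkhole and stopped, while 10.0.0.7 got a 503 from the proxy and then appears as the source of thirty distinct connections to port 445, which is the propagation behaviour described above. The port-445 fan-out check is independent of the domain and catches variants that carry a different or no kill switch.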


tasksche.exe 

Details 

Name     tasksche.exe 
Size     3514368 
Type     PE32 executable (GUI) Intel 80386, for MS Windows 
MD5      86721e64ffbd69aa6944b9672bcabb6d 
SHA1     8897c658c0373be54eeac23bbd4264687a141ae1 
ssdeep   98304:QqPoBh2laRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPu1Cxcxk3ZAEUadzR8yc4gB 
Entropy  7.99546693739 


Antivirus 

MicroWorld-eScan       Trojan.Ransom.WannaCryptor.A 
nProtect               Ransom/W32.Wanna.3514368 
CAT-QuickHeal          Ransom.WannaCryBot 
ALYac                  Trojan.Ransom.WannaCryptor 
Malwarebytes           Ransom.WanaCryptOr 
K7GW                   Trojan ( 0050d7171 ) 
K7AntiVirus            Trojan ( 0050d7171 ) 
Arcabit                Trojan.Ransom.WannaCryptor.A 
Baidu                  Win32.Trojan.WisdomEyes.16070401.9500.9973 
F-Prot                 W32/WannaCrypt.D 
Symantec               Ransom.Wannacry 
TrendMicro-HouseCall   Ransom_WCRY.J 
Paloalto               generic.ml 
ClamAV                 Win.Ransomware.WannaCry-6313787-0 
GData                  Win32.Trojan-Ransom.WannaCry.A 
Kaspersky              Trojan-Ransom.Win32.Wanna.b 
BitDefender            Trojan.Ransom.WannaCryptor.A 
NANO-Antivirus         Trojan.Win32.Wanna.eorfmq 
AegisLab               Dropped.Generic.Ransom.Hydracrypt!c 
Avast                  Win32:WanaCry-A [Trj] 
Tencent                Win32.Trojan.Ransome.Vdfa 
Ad-Aware               Trojan.Ransom.WannaCryptor.A 
Emsisoft               Trojan.Ransom.WannaCryptor.A (B) 
Comodo                 TrojWare.Win32.Ransom.WannaCryptor.a 
F-Secure               Trojan.Ransom.WannaCryptor.A 
DrWeb                  Trojan.Encoder.11432 
VIPRE                  Trojan.Win32.Generic!BT 
TrendMicro             Ransom_WCRY.J 
McAfee-GW-Edition      BehavesLike.Win32.Backdoor.wc 
Sophos                 Mal/Wanna-A 
Cyren                  W32/Trojan.AHAZ-1193 
Jiangmin               Trojan.WanaCry.b 
Webroot                W32.Ransomware.Wcry 
Avira                  TR/AD.RansomHeur.aexdn 
Antiy-AVL              Trojan[Ransom]/Win32.Scatter 
ViRobot                Trojan.Win32.S.WannaCry.3514368.O[h] 
ZoneAlarm              Trojan-Ransom.Win32.Wanna.b 
Microsoft              Ransom:Win32/WannaCrypt 
AhnLab-V3              Trojan/Win32.WannaCryptor.R200571 
McAfee                 Ransom-WannaCry!86721E64FFBD 
AVware                 Trojan.Win32.Generic!BT 
ESET-NOD32             Win32/Filecoder.WannaCryptor.D 
Rising                 Malware.Heuristic!ET#89% (cloud:vZkqDj6QDKF) 
Ikarus                 Trojan.Win32.Filecoder 
Fortinet               W32/WannaCryptor.D!tr 
AVG                    Ransom_r.CFY 
Panda                  Trj/RansomCrypt.F 
CrowdStrike            malicious_confidence_69% (W) 
Qihoo-360              Win32/Trojan.Ransom.50f 


PE Information 

Compiled  2010-11-20T09:05:05Z 

PE Sections 

Name      MD5                               Raw Size  Entropy 
(header)  d95b2ee2a80c00ca7d29c40b18c99393  4096      0.708880451742 
.text     920e964050a1a5dd60dd00083fd541a2  28672     6.4042351061 
.rdata    2c42611802d585e6eed68595876d1a15  24576     6.66357096841 
.data     83506e37bd8b50cacabd480f8eb3849b  8192      4.45574950787 
.rsrc     7e152ea77186bbe06de1f254ecd4e02e  3448832   7.99986707519 

Packers 

Name                       Version  Entry Point 
Microsoft Visual C++ v6.0  NA       NA 


Relationships 

(F) tasksche.exe (86721)  Related_To  (S) res11.PNG 
(F) tasksche.exe (86721)  Related_To  (F) b.wnry (c1717) 
(F) tasksche.exe (86721)  Related_To  (F) c.wnry (ae08f) 
(F) tasksche.exe (86721)  Related_To  (F) t.wnry (5dcaa) 
(F) tasksche.exe (86721)  Related_To  (F) m_bulgarian.wnry (95673) 
(F) tasksche.exe (86721)  Related_To  (F) m_chinese (simplified).wnry (0252d) 
(F) tasksche.exe (86721)  Related_To  (F) m_chinese (traditional).wnry (2efc3) 
(F) tasksche.exe (86721)  Related_To  (F) m_croatian.wnry (17194) 
(F) tasksche.exe (86721)  Related_To  (F) m_czech.wnry (537ef) 
(F) tasksche.exe (86721)  Related_To  (F) m_danish.wnry (2c5a3) 
(F) tasksche.exe (86721)  Related_To  (F) m_dutch.wnry (7a8d4) 
(F) tasksche.exe (86721)  Related_To  (F) m_english.wnry (fe68c) 
(F) tasksche.exe (86721)  Related_To  (F) m_filipino.wnry (08b9e) 
(F) tasksche.exe (86721)  Related_To  (F) m_finnish.wnry (35c2f) 
(F) tasksche.exe (86721)  Related_To  (F) m_french.wnry (4e571) 
(F) tasksche.exe (86721)  Related_To  (F) m_german.wnry (3d59b) 
(F) tasksche.exe (86721)  Related_To  (F) m_greek.wnry (fb4e8) 
(F) tasksche.exe (86721)  Related_To  (F) m_indonesian.wnry (3788f) 
(F) tasksche.exe (86721)  Related_To  (F) m_italian.wnry (30a20) 
(F) tasksche.exe (86721)  Related_To  (F) m_japanese.wnry (b77e1) 
(F) tasksche.exe (86721)  Related_To  (F) m_korean.wnry (6735c) 
(F) tasksche.exe (86721)  Related_To  (F) m_latvian.wnry (c33af) 
(F) tasksche.exe (86721)  Related_To  (F) m_norwegian.wnry (ff70c) 
(F) tasksche.exe (86721)  Related_To  (F) m_polish.wnry (e79d7) 
(F) tasksche.exe (86721)  Related_To  (F) m_portuguese.wnry (fa948) 
(F) tasksche.exe (86721)  Related_To  (F) m_romanian.wnry (313e0) 
(F) tasksche.exe (86721)  Related_To  (F) m_russian.wnry (45261) 
(F) tasksche.exe (86721)  Related_To  (F) m_slovak.wnry (c911a) 
(F) tasksche.exe (86721)  Related_To  (F) m_spanish.wnry (8d616) 
(F) tasksche.exe (86721)  Related_To  (F) m_swedish.wnry (c7a19) 
(F) tasksche.exe (86721)  Related_To  (F) m_turkish.wnry (531ba) 
(F) tasksche.exe (86721)  Related_To  (F) m_vietnamese.wnry (8419b) 
(F) tasksche.exe (86721)  Related_To  (F) r.wnry (3e002) 
(F) tasksche.exe (86721)  Related_To  (F) s.wnry (025ac) 
(F) tasksche.exe (86721)  Related_To  (F) taskdl.exe (4fef5) 
(F) tasksche.exe (86721)  Related_To  (F) taskse.exe (84954) 
(F) tasksche.exe (86721)  Related_To  (F) u.wnry (7bf2b) 
(F) tasksche.exe (86721)  Dropped_By  (F) 5bef35496fcbdbe841c82f4d1ab8b7c2 (5bef3) 


Description 

This artifact is a malicious PE32 executable that has been identified as the WannaCrypt ransomware component, named "tasksche.exe". 
Installed by the dropper component at run time, "tasksche.exe" installs itself as a service with the following attributes: 

--Begin service-- 

ServiceName = "wipqhztnxh610" 
DisplayName = "wipqhztnxh610" 
BinaryPathName = "cmd.exe /c "C:\ProgramData\wipqhztnxh610\tasksche.exe"" 

--End service-- 

The malware creates the following registry key: 

--Begin registry key-- 

HKEY_LOCAL_MACHINE 
Subkey = "Software\WanaCrypt0r" 
ValueName = "wd" 
ValueData = "<malware working directory>" 

--End registry key-- 

The file "tasksche.exe" contains a password-protected zip archive in its resource section named "XIA". During runtime, the malware extracts 
the archive contents using the password "WNcry@2ol7" and installs the files on the victim's hard drive. Displayed below are the files in the 
archive and their functionality: 

--Begin archive file list-- 

msg folder == Contains multiple user manuals in different languages in RTF file format 
b.wnry == Ransom message image file used to replace the user's wallpaper 
c.wnry == Contains the C2 servers hidden in the TOR network 
r.wnry == Explains what has happened and how to pay the ransom 
t.wnry == AES-encrypted plug-in responsible for encrypting the victim's files 
s.wnry == TOR library that is imported by u.wnry 
u.wnry == Interactive TOR client that enables a victim to submit payment to the attackers over a TOR session 
taskdl.exe == Supporting file used to search for the string "\$RECYCLE\*.WNCRYT" 
taskse.exe == Supporting file for Remote Desktop Services 

--End archive file list-- 
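The following is an added example, not part of the US-CERT report: a check of host artefacts for the persistence described in this report, the dropper's "mssecsvc2.0" service ("-m security"), the randomly named service that launches tasksche.exe from C:\ProgramData, and the HKLM\Software\WanaCrypt0r "wd" value that records the working directory. The inputs are constructed lines in the shape of a Windows service-install event (event ID 7045) and of a registry dump; those text formats, the user and path names are assumptions made for this example.

```python
import re

# Constructed System-log lines in the shape of a service-install event (Windows event 7045):
# "EventID=7045 ServiceName=<name> ImagePath=<binary path and arguments>"
SERVICE_EVENTS = [
    r"EventID=7045 ServiceName=mssecsvc2.0 ImagePath=C:\Users\victim\Downloads\5bef35496fcbdbe841c82f4d1ab8b7c2.exe -m security",
    r'EventID=7045 ServiceName=wipqhztnxh610 ImagePath=cmd.exe /c "C:\ProgramData\wipqhztnxh610\tasksche.exe"',
    r"EventID=7045 ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe",
]
# Constructed registry-dump lines: "<hive>\<key> : <value name> = <data>"
REGISTRY_DUMP = [
    r"HKLM\Software\WanaCrypt0r : wd = C:\ProgramData\wipqhztnxh610",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run : OneDrive = C:\Users\victim\OneDrive.exe",
]

SERVICE_RE = re.compile(r"ServiceName=(\S+)\s+ImagePath=(.*)$")
DROPPER_NAME = "mssecsvc2.0"   # fixed service name used by the dropper
# The ransomware's service: cmd.exe /c "C:\ProgramData\<random name>\tasksche.exe"
TASKSCHE_RE = re.compile(r'cmd\.exe /c "C:\\ProgramData\\[^\\"]+\\tasksche\.exe"', re.IGNORECASE)
# The working-directory value written under HKLM\Software\WanaCrypt0r
WD_RE = re.compile(r"^HKLM\\Software\\WanaCrypt0r\s*:\s*wd\s*=\s*(.*)$", re.IGNORECASE)


def check_services(lines):
    """Return (label, service name) for service installs matching the report's artefacts."""
    findings = []
    for line in lines:
        m = SERVICE_RE.search(line)
        if not m:
            continue
        name, image = m.group(1), m.group(2).strip()
        if name.lower() == DROPPER_NAME or image.lower().endswith("-m security"):
            findings.append(("dropper-service", name))
        elif TASKSCHE_RE.search(image):
            findings.append(("tasksche-service", name))
    return findings


def check_registry(lines):
    """Return (label, working directory) for the WanaCrypt0r 'wd' value."""
    return [("wanacrypt0r-wd", m.group(1).strip())
            for line in lines if (m := WD_RE.match(line))]


def triage(service_lines, registry_lines):
    """Combined host findings. The directory from the registry value is where the dropped
    files (tasksche.exe, the *.wnry files and the msg folder) should be collected from."""
    return check_services(service_lines) + check_registry(registry_lines)
```

The dropper's service is matched both by name and by the "-m security" argument, because the service name is a fixed string that could be renamed in a variant while the argument is what the binary itself checks for. The random service name is not matched at all; the stable part is the cmd.exe /c wrapper around a tasksche.exe under a ProgramData subfolder.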
Screenshots 

• res11.PNG 

Name        Date modified       Type         Size 
msg         5/14/2017 9:15 PM   File folder 
b.wnry      5/11/2017 7:13 AM   WNRY File    1,407 KB 
c.wnry      5/11/2017 7:11 AM   WNRY File    1 KB 
r.wnry      5/11/2017 2:59 AM   WNRY File    1 KB 
s.wnry      5/9/2017 3:58 AM    WNRY File    23 KB 
t.wnry      5/11/2017 1:02 PM   WNRY File    65 KB 
taskdl.exe  5/11/2017 1:22 PM   Application  20 KB 
taskse.exe  5/11/2017 1:22 PM   Application  20 KB 
u.wnry      5/11/2017 1:22 PM   WNRY File    240 KB 

Image 2: Files contained in this embedded archive in the resource section named "XIA" 


4da1f312a214c07143abeeafb695d904 

Details 

Name     4da1f312a214c07143abeeafb695d904 
Size     4497408 
Type     PE32 executable (GUI) Intel 80386, for MS Windows 
MD5      4da1f312a214c07143abeeafb695d904 
SHA1     b629f072c9241fd2451f1cbca2290197e72a8f5e 
ssdeep   98304:zcl8HbSxeeqe5hXlplyS+PiwTNI/iZ102q7O3cOtgP5HYPNtNO8/l04miT4RTMpK:zD28tqeDNPLTmZR4Ou5HSNbOR04g5MpK 
Entropy  7.99683684716 


Antivirus 

Bkav                   W32.Clod284.Trojan.e098 
MicroWorld-eScan       Trojan.GenericKD.4829301 
CAT-QuickHeal          Ransom.Genasom 
ALYac                  Trojan.Ransom.WannaCryptor 
Malwarebytes           Ransom.WannaCrypt 
AegisLab               Backdoor.W32.Farfli!c 
K7AntiVirus            Riskware ( 0040eff71 ) 
K7GW                   Riskware ( 0040eff71 ) 
Baidu                  Win32.Trojan.WisdomEyes.16070401.9500.9995 
Cyren                  W32/Trojan.ZEBS-1630 
Symantec               Ransom.Wannacry 
ESET-NOD32             a variant of Win32/Filecoder.WannaCryptor.D 
TrendMicro-HouseCall   Ransom_WCRY.F117DB 
Paloalto               generic.ml 
ClamAV                 Win.Trojan.Agent-6258665-0 
Kaspersky              Backdoor.Win32.Farfli.atmr 
BitDefender            Trojan.GenericKD.4829301 
NANO-Antivirus         Trojan.Win32.Farfli.enstjk 
Avast                  Win32:Malware-gen 
Ad-Aware               Trojan.GenericKD.4829301 
Sophos                 Mal/Wanna-A 
Comodo                 TrojWare.JS.Trojan.Download. 
F-Secure               Trojan.GenericKD.4829301 
DrWeb                  Trojan.Encoder.10718 
VIPRE                  Trojan.Win32.Generic!BT 
TrendMicro             Ransom_WCRY.F117DB 
McAfee-GW-Edition      BehavesLike.Win32.Downloader.rc 
Emsisoft               Trojan-Ransom.WannaCryptor (A) 
F-Prot                 W32/WannaCrypt.H 
Jiangmin               Backdoor.Farfli.bde 
Webroot                W32.Trojan.Gen 
Avira                  TR/Dropper.gafex 
Fortinet               W32/Filecoder_WannaCryptor.B!tr 
Antiy-AVL              Trojan[Backdoor]/Win32.Farfli 
Endgame                malicious (high confidence) 
Arcabit                Trojan.Generic.D49B075 
ViRobot                Trojan.Win32.WannaCryptor.4497408[h] 
ZoneAlarm              Backdoor.Win32.Farfli.atmr 
Microsoft              Ransom:Win32/Genasom 
AhnLab-V3              Trojan/Win32.WCrypto.R199610 
McAfee                 Ransom-WannaCry!4DA1F312A214 
AVware                 Trojan.Win32.Generic!BT 
VBA32                  Backdoor.Farfli 
Tencent                Win32.Trojan.Baas.Auto 
Yandex                 Trojan.Filecoder!gRTNEfeDeo4 
Ikarus                 Trojan.Win32.Filecoder 
GData                  Trojan.GenericKD.4829301 
AVG                    FileCryptor.OUA 
Panda                  Trj/CI.A 
CrowdStrike            malicious_confidence_62% (W) 


PE Information 

Compiled  2017-04-08T21:36:48Z 

PE Sections 

Name      MD5                               Raw Size  Entropy 
(header)  c4af8d472d9b9611260879510fc137a1  4096      0.710572941802 
.text     d09045cdfcf8ee598beaf3391623aec5  26672     6.11147819166 
.rdata    9ec77c0e054f493084d66f0939e94d7e  24576     6.54607243406 
.data     297a4b644479ae0224207d6a96b81c49  8192      4.0949667335 
.rsrc     f4b80cdf5638bcabc3292ee19e7e528f  4431872   7.9999601862 

Packers 

Name                       Version  Entry Point 
Microsoft Visual C++ v6.0  NA       NA 

Relationships 

(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (S) res22.PNG 
(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (F) b.wnry (c1717) 
(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (F) c.wnry (ae08f) 
(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (F) t.wnry (5dcaa) 
(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (F) s.wnry (025ac) 
(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (F) r.wnry (3e002) 
(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (F) u.wnry (7bf2b) 


Description 

This artifact is a malicious PE32 executable that has been identified as the WannaCrypt ransomware component, normally named 
"tasksche.exe" when dropped. The dropper component that installs this file was not part of the submission. It contains an embedded 
resource named "PK". This resource is a compressed archive that is protected with the password "wcry@123". This compressed archive 
contains the following files: 

--Begin Files Within PK Archive-- 

Name: b.wry 
MD5: 99AE8326B4BC406DAF54DDC7C5E43ABE 
Name: c.wry 
MD5: 725BF255D114B71AACB9E610BB92027A 
Name: m.wry 
MD5: 54C0E4AA798CE82886A96BA4BB449188 
Name: r.wry 
MD5: 880E6A619106B3DEF7E1255F67CB8099 
Name: s.wry 
MD5: 7CF776F898D58F8BE1C44F254FC00643 
Name: t.wry 
MD5: 48099908E66D81901EB2076702AFD73C 
Name: u.wry 
MD5: B27F095F305CF940BA4E85F3CB848819 

--End Files Within PK Archive-- 

During runtime, the malware decrypts the Windows DLL contained in t.wry by reading the first 8 bytes and comparing them to the ASCII 
value "WANNACRY". If they match, the malware reads 256 bytes of the file starting at byte 12 and decrypts them using a hard-coded 
private RSA2 key. This produces the following 16-byte value: 

--Begin 128 Bit AES Key-- 

896F1BB014E66A6DC5ED5DD687D305A4 

--End 128 Bit AES Key-- 

These 16 bytes are used by an embedded AES implementation to decrypt the actual data contained within the encrypted file, beginning at byte 
280. This reveals the embedded DLL, which is used to encrypt the victim's files. It is important to note that this newly decrypted DLL 
contains two hard-coded RSA1 keys. During the encryption process, this DLL generates a new pseudo-random 128-bit AES key for each 
file it encrypts. The target file is encrypted with this AES key. Next, the AES key is encrypted using the hard-coded RSA1 key and prepended 
to the file. This DLL attempts to encrypt files on the victim's primary hard drive, as well as attached physical and network 
drives. Encrypted files are given a .WCRY extension. 

These encrypted files have a format similar to the file "t.wry", in that the first 8 bytes contain the ASCII value "WANNACRY". After this 
value there is a four-byte marker "0x00 0x01 0x00 0x00", followed by 256 bytes with the end marker "0x40 0x00 0x00 0x00". This marked 
256-byte sequence contains the 128-bit AES key, encrypted by RSA, which may be used to decrypt the victim's data within the file. 
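The following is an added example, not part of the US-CERT report: a parser for the on-disk layout the report describes for t.wry and for the .WCRY files. The offsets follow the report (8-byte ASCII magic at 0, the marker 00 01 00 00 at 8, the 256-byte RSA-encrypted AES key at 12, the end marker 40 00 00 00 at 268, ciphertext from byte 280); the 8 bytes at offsets 272..279 are not described by the report and are kept as an opaque field. The sample file and key bytes are constructed, and no decryption is attempted, since the RSA private key is not available to a responder; what the parser gives an incident handler is a reliable way to count affected files and to preserve the per-file encrypted key blob that a recovery would need.

```python
MAGIC = b"WANNACRY"               # first 8 bytes, per the report
KEY_MARKER = b"\x00\x01\x00\x00"  # bytes 8..11; as a little-endian integer this is 0x100 = 256, the key blob length
END_MARKER = b"\x40\x00\x00\x00"  # bytes 268..271, per the report
HEADER_LEN = 280                  # ciphertext begins here, per the report


def parse_wcry(blob: bytes) -> dict:
    """Validate the header and split out the RSA-encrypted AES key and the ciphertext."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file shorter than the 280-byte header")
    if blob[:8] != MAGIC:
        raise ValueError("missing WANNACRY magic")
    if blob[8:12] != KEY_MARKER:
        raise ValueError("unexpected key marker %r" % blob[8:12])
    if blob[268:272] != END_MARKER:
        raise ValueError("unexpected end marker %r" % blob[268:272])
    return {
        "encrypted_aes_key": blob[12:268],   # 256 bytes: the per-file 128-bit AES key, RSA-encrypted
        "opaque": blob[272:280],             # 8 bytes the report does not describe
        "ciphertext": blob[280:],
    }


def looks_encrypted(blob: bytes) -> bool:
    """True when the blob carries a well-formed WANNACRY header."""
    try:
        parse_wcry(blob)
        return True
    except ValueError:
        return False


def build_sample(enc_key: bytes, ciphertext: bytes, opaque: bytes = b"\x00" * 8) -> bytes:
    """Assemble a file in this layout; used here only to produce constructed test input."""
    if len(enc_key) != 256 or len(opaque) != 8:
        raise ValueError("enc_key must be 256 bytes and opaque 8 bytes")
    return MAGIC + KEY_MARKER + enc_key + END_MARKER + opaque + ciphertext


def triage(files: dict) -> dict:
    """Map each file name to whether its bytes carry the header (which files were encrypted)."""
    return {name: looks_encrypted(data) for name, data in files.items()}


# Constructed inputs (not real samples)
SAMPLE_KEY = bytes(range(256))                        # stands in for the 256-byte RSA-encrypted key
SAMPLE_FILE = build_sample(SAMPLE_KEY, b"constructed ciphertext")
FILES = {"report.docx.WCRY": SAMPLE_FILE, "notes.txt": b"plain text, not encrypted"}
```

The magic and marker values are checked exactly as the report states them; if a variant changed the marker bytes the parser would reject the file rather than misread the key offset, which is the safer failure for a forensic tool.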
Screenshots 

• res22.PNG 

Name   Date modified       Type 
b.wry  4/3/2017 12:31 AM   WRY File 
c.wry  4/5/2017 11:54 AM   WRY File 
m.wry  3/4/2017 3:37 AM    WRY File 
r.wry  3/9/2017 4:45 AM    WRY File 
s.wry  3/9/2017 6:51 AM    WRY File 
t.wry  4/8/2017 5:36 PM    WRY File 
u.wry  4/8/2017 5:36 PM    WRY File 

Image 3: Files contained in this embedded archive in the resource section named "PK" 


b.wnry 

Details 

Name     b.wnry 
Size     1440054 
Type     PC bitmap, Windows 3.x format, 800 x 600 x 24 
MD5      c17170262312f3be7027bc2ca825bf0c 
SHA1     f19eceda82973239a1fdc5826bce7691e5dcb4fb 
ssdeep   384:7YzuP4tiuOub2Wuzvq0FgjexqOSXgYWTIWv/+:sbL+ 
Entropy  0.336339312356 

Antivirus 

ESET-NOD32   Win32/Filecoder.WannaCryptor.D 
Microsoft    Ransom:Win32/WannaCrypt.A!rsm 
Ikarus       Trojan.Win32.Filecoder 
GData        Generic.Trojan.Agent.TFW01J 
Qihoo-360    Trojan.Generic 

Relationships 

(F) b.wnry (c1717)  Related_To  (S) Ooops.PNG 
(F) b.wnry (c1717)  Related_To  (F) tasksche.exe (86721) 
(F) b.wnry (c1717)  Related_To  (F) 4da1f312a214c07143abeeafb695d904 (4da1f) 

Description 

This file is a bitmap image file depicting the ransom message; it replaces the victim's wallpaper. 

Screenshots 

• Ooops.PNG 

Image 1: Ransom message image file used to replace the user's wallpaper 


c.wnry 

Details 

Name     c.wnry 
Size     780 
Type     data 
MD5      ae08f79a0d800b82fcbe1b43cdbdbefc 
SHA1     f6b08523b1a836e2112875398ffefffde98ad3ca 
ssdeep   6:cL+qaHqHgVcKKfF9mHRMMPRGS37LIN/sUQqGUSGeTsdEC:cjaRVcKKfm2MYS3sUQqGLGeTEV 
Entropy  1.9906166083 

Antivirus 

Microsoft    Ransom:Win32/WannaCrypt.A!rsm 

Relationships 

(F) c.wnry (ae08f)  Related_To  (F) tasksche.exe (86721) 
(F) c.wnry (ae08f)  Related_To  (F) 4da1f312a214c07143abeeafb695d904 (4da1f) 
(F) c.wnry (ae08f)  Contains    (D) gx7ekbenv2riucmf.onion 
(F) c.wnry (ae08f)  Contains    (D) 57g7spgrzlojinas.onion 
(F) c.wnry (ae08f)  Contains    (D) xxlvbrloxvriy2c5.onion 
(F) c.wnry (ae08f)  Contains    (D) 76jdd2ir2embyv47.onion 
(F) c.wnry (ae08f)  Contains    (D) cwwnhwhlz52maqm7.onion 

Description 

This is a data file, which contains the C2 servers hidden within the TOR network. Displayed below are samples observed during analysis: 

--Begin C2-- 

gx7ekbenv2riucmf.onion 
57g7spgrzlojinas.onion 
xxlvbrloxvriy2c5.onion 
76jdd2ir2embyv47.onion 
cwwnhwhlz52maqm7.onion 

--End C2-- 


t.wnry 

Details 

Name     t.wnry 
Size     65816 
Type     data 
MD5      5dcaac857e695a65f5c3ef1441a73a8f 
SHA1     7b10aaeee05e7a1efb43d9f837e9356ad55c07dd 
ssdeep   1536:am+vLII5ygV8/tuH+P92xqDKvARpmKiRMkTERU:a9LAg4tXPTEKvADmFgRU 
Entropy  7.99727613788 

Antivirus 

MicroWorld-eScan       Trojan.GenericKD.5057663 
Symantec               Trojan.Gen.8!cloud 
TrendMicro-HouseCall   Suspicious_GEN.F47V0513 
BitDefender            Trojan.GenericKD.5057663 
Ad-Aware               Trojan.GenericKD.5057663 
F-Secure               Trojan.GenericKD.5057663 
Emsisoft               Trojan.GenericKD.5057663 (B) 
Arcabit                Trojan.Generic.D4D2C7F 
Microsoft              Ransom:Win32/WannaCrypt.A!rsm 
Ikarus                 Ransom.Win32.WannaCrypt 
GData                  Trojan.GenericKD.5057663 
Qihoo-360              Trojan.Generic 

Relationships 

(F) t.wnry (5dcaa)  Related_To  (F) tasksche.exe (86721) 
(F) t.wnry (5dcaa)  Related_To  (F) 4da1f312a214c07143abeeafb695d904 (4da1f) 

Description 

This artifact is a malicious PE32 executable containing the primary component responsible for encrypting the victim's files. 
Importantly, this file appears to be encrypted in the same manner in which the ransomware encrypts the victim's files. This suggests that the 
"decryptor", if purchased from the adversary by paying the ransom, would decrypt the victim's files in the same way. 

m_bulgarian.wnry

Details

Name m_bulgarian.wnry
Size 47879
Type Rich Text Format data, version 1, unknown character set
MD5 95673b0f968c0f55b32204361940d184
SHA1 81e427d15a1a826b93e91c3d2fa65221c8ca9cff
ssdeep 768:Shef3jHdCG28Eb1tyGi8crbEw6/5+3xFkbP0vyzbZrS14e:SheU5De
Entropy 4.95061166753

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_bulgarian.wnry (95673) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Bulgarian.


m_chinese (simplified).wnry

Details

Name m_chinese (simplified).wnry
Size 54359
Type Rich Text Format data, version 1, unknown character set
MD5 0252d45ca21c8e43c9742285c48e91ad
SHA1 5c14551d2736eef3a1c1970cc492206e531703c1
ssdeep 768:SWjkSFwwlUdcUG2HAmDTzpXtgmDNQ8qD7DHDqMtgDdLDMaDoKMGzD0DWJQ8/QoZ4:SWcwiqDB
Entropy 5.01509344454

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_chinese (simplified).wnry (0252d) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Chinese (simplified).


m_chinese (traditional).wnry

Details

Name m_chinese (traditional).wnry
Size 79346
Type Rich Text Format data, version 1, unknown character set
MD5 2efc3690d67cd073a9406a25005f7cea
SHA1 52c07f98870eabace6ec370b7eb562751e8067e9
ssdeep 768:SDwtk2jHdLG2xN1fyvnywUKB5lylYlzlJpsbuEWeM/yDRu9uCuwy[nlwDOHEhm/v:SDn25Rt4D4
Entropy 4.90189108744

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_chinese (traditional).wnry (2efc3) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Chinese (traditional).


m_croatian.wnry

Details

Name m_croatian.wnry
Size 39070
Type Rich Text Format data, version 1, unknown character set
MD5 17194003fa70ce477326Ge2f6deeb270
SHA1 e325988f68d327743926ea317abb9882f347fa73
ssdeep 384:SheftipUENLFsPzy3EFHjHdb2YG2+d18Scgn8cS/868H1F8E8/SZ3m8VdAmS6a8n:Shef3jHd3G2n+p/mZrS14A
Entropy 5.03796878473

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_croatian.wnry (17194) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Croatian.


m_czech.wnry

Details

Name m_czech.wnry
Size 40512
Type Rich Text Format data, version 1, unknown character set
MD5 537efeecdfa94cc421e58fd82a58ba9e
SHA1 3609456e16bc16ba447979f3aa69221290ec1?d0
ssdeep 384:SheftipUENLFsPzy3EFHjHdg2yG2gv8n8+8zfB8k8F8i8k128M8l818E838C8A8s:Shef3jHd2G26nyMZrS14g
Entropy 5.03594913469

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_czech.wnry (537ef) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Czech.


m_danish.wnry

Details

Name m_danish.wnry
Size 37045
Type Rich Text Format data, version 1, unknown character set
MD5 2c5a3b81d5c4715b7bea01033367fcb5
SHA1 b548b45da8463e17199daafd34c23591f94e82cd
ssdeep 384:SheftipUENLFsPzy3EFHjHd02wG2roqni2Jeo75Y3kmA31dv61QyU:Shef3jHd4G2M5bZrS14Q
Entropy 5.02868302371

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_danish.wnry (2c5a3) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Danish.


m_dutch.wnry

Details

Name m_dutch.wnry
Size 36987
Type Rich Text Format data, version 1, unknown character set
MD5 7a8d499407c6a647c03c4471a67eaad7
SHA1 d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b
ssdeep 384:Sw3BHSj2cLeT+sPzy3EFHjHdp2oG2/CzhReo75Y3kmA31dv61Qyz:Sw3BHSWjHdBG2/UhsZrSl4f
Entropy 5.03616020597

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_dutch.wnry (7a8d4) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Dutch.


m_english.wnry

Details

Name m_english.wnry
Size 36973
Type Rich Text Format data, version 1, unknown character set
MD5 fe68c2dc0d2419b38f44d83f2fcf232e
SHA1 6c6e49949957215aa2f3dfb72207d249adf36283
ssdeep 384:S93BHSj2cguALeT+sP2y3EFHjHdM2EG2YLC703eo75Y3kmA31dv61QyW:S93BHSTjHdOG2YLCZrS14y
Entropy 5.04061161642

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_english.wnry (fe68c) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in English.

A sample of the text is shown below:

What Happened to My Computer?

Your important files are encrypted.

Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?

Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time. You can decrypt some of your files for free. Try now by clicking <Decrypt>.

But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled. Also, if you don't pay in 7 days, you won't be able to recover your files forever. We will have free events for users who are so poor that they couldn't pay in 6 months.

How Do I Pay?

Payment is accepted in Bitcoin only. For more information, click <About bitcoin>. Please check the current price of Bitcoin and buy some bitcoins. For more information, click <How to buy bitcoins>. And send the correct amount to the address specified in this window. After your payment, click <Check Payment>. Best time to check: 9:00am - 11:00am GMT from Monday to Friday. Once the payment is checked, you can start decrypting your files immediately.

Contact

If you need our assistance, send a message by clicking <Contact Us>. We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!


m_filipino.wnry

Details

Name m_filipino.wnry
Size 37580
Type Rich Text Format data, version 1, unknown character set
MD5 08b9e69b57e4c9b966664f8e1c27ab09
SHA1 2da1025bbbfb3cd308070765fc0893a48e5a85fa
ssdeep 384:Sw3BHSj2cLeT+sPzy3EFHjHdi2MG2AGsi6p07i/eo75Y3kmA31dv61QyR:Sw3BHSWjHdGG2Axa7iGZrS14N
Entropy 5.04581932168

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_filipino.wnry (08b9e) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Filipino.


m_finnish.wnry

Details

Name m_finnish.wnry
Size 38377
Type Rich Text Format data, version 1, unknown character set
MD5 35c2f97eea8a19b10aebd23fee732d8f
SHA1 e354d1c043d6a39d9732adea5d3b0f57284255d2
ssdeep 384:SheftipUENLFsPzy3EFHjHdg2oG2l1glOmeo75Y3kmA31dv61QyB:Shef3jHdMG2l1A03ZrS14l
Entropy 5.03093847336

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_finnish.wnry (35c2f) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Finnish.
m_french.wnry

Details

Name m_french.wnry
Size 38437
Type Rich Text Format data, version 1, unknown character set
MD5 4e57113a6bf6b88fdd32782a4a381274
SHA1 0fccbc91f0f94453d91670c6794f71348711061d
ssdeep 384:SheftipUENLFsPzy3EFHjHdtW2IG2sjqMeo75Y3kmA31dv61Qyg:Shef3jHdOG2smJZrS14M
Entropy 5.03112667661

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_french.wnry (4e571) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in French.


m_german.wnry

Details

Name m_german.wnry
Size 37181
Type Rich Text Format data, version 1, unknown character set
MD5 3d59bbb5553fe03a89f8178195401469
SHA1 26781d4b06ff704800b463d0f1fca3afd923a9fe
ssdeep 384:SheftipUENLFsPzy3EFHjHdN26G2VSA1leo75Y3kmA31dv61QyU:Shef3jHdfG2oe1ZrS14w
Entropy 5.03973926795

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_german.wnry (3d59b) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in German.


m_greek.wnry

Details

Name m_greek.wnry
Size 49044
Type Rich Text Format data, version 1, unknown character set
MD5 fb4e8718fea95bb7479727fde80cb424
SHA1 1088c7653cba385fe994e9ae34a6595898f20aeb
ssdeep 384:SheftipUENLFsP2y3EFHjHdc2oG2WWDFFG5BwKeo75Y3kmA31dv61QyM:Shef3jHdoG2NHG5BwLZrS14Q
Entropy 4.91009563462

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_greek.wnry (fb4e8) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Greek.


m_indonesian.wnry

Details

Name m_indonesian.wnry
Size 37196
Type Rich Text Format data, version 1, unknown character set
MD5 3788f91c694dfc48e12417ce93356b0f
SHA1 eb3b87f7f654b604daf3484da9e02ca6c4ea98b7
ssdeep 384:Sw3BHSj2cLeT+sP2y3EFHjHdY2oG2pq32eo75Y3kmA31dv61Qys:Sw3BHSWjHdUG2pq3nZrS14l
Entropy 5.03926854193

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_indonesian.wnry (3788f) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Indonesian.


m_italian.wnry

Details

Name m_italian.wnry
Size 36883
Type Rich Text Format data, version 1, unknown character set
MD5 30a200f78498990095b36f574b6e8690
SHA1 c4b1b3c087bd12b063e98bca464cd05f3f7b7882
ssdeep 384:SheftipUENLFsP2y3EFHjHdR2AG2c/EnByeo75Y3kmA31dv61Qy9:Shef3jHdJG2cQZrS14R
Entropy 5.02804819173

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_italian.wnry (30a20) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Italian.


m_japanese.wnry

Details

Name m_japanese.wnry
Size 81844
Type Rich Text Format data, version 1, unknown character set
MD5 b77e1221f7ecd0b5d696cb66cda1609e
SHA1 51eb7a254a33d05edf188ded653005dc82de8a46
ssdeep 384:SXZ0j2cKKwd1lksPzy3EFHjHdl2MG275rQeo75Y3kmA31dv61Qyr:SX20qbjHd4G2RNZrS14P
Entropy 4.8502578701

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D
TrendMicro-HouseCall TROJ_RANSOMNOTE.RTF
Tencent Win32.Trojan.Filecoder.Pfte
Ikarus Trojan.Win32.Filecoder

Relationships

(F) m_japanese.wnry (b77e1) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Japanese.


m_korean.wnry

Details

Name m_korean.wnry
Size 91501
Type Rich Text Format data, version 1, unknown character set
MD5 6735cb43fe44832b061eeb3f5956b099
SHA1 d636daf64d524f81367ea92fdafa3726c909bee1
ssdeep 768:Shef3jHdUG2NQcbxfSVZiG9jvi3//ZVrMQr7pEKCHS12DsY78piTDtTaSBxzBwdY:SheiaDq
Entropy 4.84183050451

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_korean.wnry (6735c) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Korean.
m_latvian.wnry

Details

Name m_latvian.wnry
Size 41169
Type Rich Text Format data, version 1, unknown character set
MD5 c33afb4ecc04ee1bcc6975bea49abe40
SHA1 fbea4f170507cde02b839527ef50b7ec74b4821f
ssdeep 384:SheftipUENLFsPzy3EFHjHdcqH24G2ZN1EDCv3ApbOWD5gYV/S4L3rnzdeo75Y3f:Shef3jHdcMG2NpZrS14F
Entropy 5.0306952962

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_latvian.wnry (c33af) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Latvian.


m_norwegian.wnry

Details

Name m_norwegian.wnry
Size 37577
Type Rich Text Format data, version 1, unknown character set
MD5 ff70cc7c00951084175d12128ce02399
SHA1 75ad3b1ad4fb14813882d88e952208c648f1fd18
ssdeep 384:SheftipUENLFsPzy3EFHjHdy2MG2D7mgwroXeo75Y3kmA31dv61Qy5:Shef3jHdGG23KrDZrS141M
Entropy 5.02583682362

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_norwegian.wnry (ff70c) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Norwegian.


m_polish.wnry

Details

Name m_polish.wnry
Size 39896
Type Rich Text Format data, version 1, unknown character set
MD5 e79d7f2833a9c2e2553c7fe04a1b63f4
SHA1 3d9f56d2381b8fe16042aa7c4feb1b33f2baebff
ssdeep 384:SheftipUENLFsP2y3EFHjHdD2SG2gA8w80J6868jy8/8w8mST848fSy858l8j8yv:Shef3jHdxG2KhuZrS14G
Entropy 5.04854100247

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_polish.wnry (e79d7) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Polish.


m_portuguese.wnry

Details

Name m_portuguese.wnry
Size 37917
Type Rich Text Format data, version 1, unknown character set
MD5 fa948f7d8dfb21ceddd6794f2d56b44f
SHA1 ca915fbe020caa88dd776d89632d7866f660fc7a
ssdeep 384:SheftipUENLFsP2y3EFHjHdy2QG2xgk5eo75Y3kmA31dv61QyV:Shef3jHdCG2EZrS14p
Entropy 5.02787228176

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D
Ikarus Win32.Outbreak

Relationships

(F) m_portuguese.wnry (fa948) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Portuguese.


m_romanian.wnry

Details

Name m_romanian.wnry
Size 52161
Type Rich Text Format data, version 1, unknown character set
MD5 313e0ececd24f4fa1504118a11bc7986
SHA1 e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d
ssdeep 768:Shef3jHdXG2Cz2/vBAOZsQOOcLfnF/Zhcz7sDsYZBB/0gBjL+lU/hbhMVDtsR49P:ShehlrGR1m4dx9mjVyAvg7ouDT
Entropy 4.96430694991

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_romanian.wnry (313e0) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Romanian.


m_russian.wnry

Details

Name m_russian.wnry
Size 47108
Type Rich Text Format data, version 1, unknown character set
MD5 452615db2336d60af7e2057481e4cab5
SHA1 442e31t6556b3d7de6eb85fbac3d2957b7f5eac6
ssdeep 384:SheftipUENLFsPzy3EFHjHdg2qG2aUGsOK6lyZqmfGGHRblldORZeo75Y3kmA31L:Shef3jHdeG2IGsDOcZxbP7ZrS14K
Entropy 4.95277769168

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D
TrendMicro-HouseCall TROJ_RANSOMNOTE.RTF
TrendMicro TROJ_RANSOMNOTE.RTF
Microsoft Ransom:Win32/WannaCrypt.A!rsm
Tencent Win32.Trojan.Filecoder.Paiq
Ikarus Trojan.Win32.Filecoder

Relationships

(F) m_russian.wnry (45261) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Russian.


m_slovak.wnry

Details

Name m_slovak.wnry
Size 41391
Type Rich Text Format data, version 1, unknown character set
MD5 c911aba4ab1da6c28cf86338ab2ab6cc
SHA1 fee0fd58b8efe76077620d8abc7500dbfef7c5b0
ssdeep 384:SheftipUENLFsPzy3EFHjHd4Yb2YG2gNZ8a8zV/8j8U8i8x838ZSQ808m8d8T8hw:Shef3jHdZvG23AZrS14f
Entropy 5.02773096628

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_slovak.wnry (c911a) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Slovak.


m_spanish.wnry

Details

Name m_spanish.wnry
Size 37381
Type Rich Text Format data, version 1, unknown character set
MD5 8d61648d34cba8ae9d1e2a219019add1
SHA1 2091e42fc17a0cc2f235650f7aad87abf8ba22c2
ssdeep 384:SheftipUENLFsPzy3EFHjHdf24G2/ezV6YQUdZYIujeMQ9RXmhRweo75Y3kmA3lS:Shef3jHdrG2fuhZrSl4T
Entropy 5.02443306661

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_spanish.wnry (8d616) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Spanish.


m_swedish.wnry

Details

Name m_swedish.wnry
Size 38483
Type Rich Text Format data, version 1, unknown character set
MD5 c7a19984eb9f37198652eaf2fd1ee25c
SHA1 06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae
ssdeep 384:SheftipUENLFsPzy3EFHjHdb24G2ZKLVdDeo75Y3kmA31dv61QyE:Shef3jHd/G2w6ZrSl4w
Entropy 5.02297273663

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_swedish.wnry (c7a19) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Swedish.


m_turkish.wnry

Details

Name m_turkish.wnry
Size 42582
Type Rich Text Format data, version 1, unknown character set
MD5 531ba6b1a5460fc9446946f91cc8c94b
SHA1 cc56978681bd546fd82d87926b5d9905c92a5803
ssdeep 384:SheftipUENLFsP2y3EFHjHds42WG2m2Gu/eo75Y3kmA31dv61QyZ:Shef3jHdsiG2moZrS149
Entropy 5.01072237707

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D

Relationships

(F) m_turkish.wnry (531ba) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Turkish.


m_vietnamese.wnry

Details

Name m_vietnamese.wnry
Size 93778
Type Rich Text Format data, version 1, unknown character set
MD5 8419be28a0dcec3f55823620922b00fa
SHA1 2e4791f9cdfca8abf345d606f313d22b36c46b92
ssdeep 384:SheftipUENLFsPzy3EFHjHdW2YG22cViQj3KlGSdpcH8IEriG8E80S3Jz52sxG8h:Shef3jHdWG2+oPZrS14i
Entropy 4.762061349

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D
TrendMicro-HouseCall TROJ_RANSOMNOTE.RTF
TrendMicro TROJ_RANSOMNOTE.RTF
Microsoft Ransom:Win32/WannaCrypt.A!rsm
Tencent Win32.Trojan.Filecoder.Dxmn
Ikarus Trojan.Win32.Filecoder
GData Script.Trojan.Agent.54KIMR

Relationships

(F) m_vietnamese.wnry (8419b) Related_To (F) tasksche.exe (86721)

Description

This artifact is an RTF formatted ransom note containing payment instructions, written in Vietnamese.


r.wnry

Details

Name r.wnry
Size 864
Type ASCII text, with CRLF line terminators
MD5 3e0020fc529b1c2a061016dd2469ba96
SHA1 c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade
ssdeep 24:ptrPzDVR5Gi3OzGm0Ei5bnBR7brW8PNAi0eEprY+Ai75wRZce/:D2D36W5/vWmMo+m
Entropy 4.53351847801

Antivirus

ESET-NOD32 Win32/Filecoder.WannaCryptor.D
TrendMicro-HouseCall TROJ_RANSOMNOTE.AUSCQT
TrendMicro TROJ_RANSOMNOTE.AUSCQT
AegisLab Troj.Ransomnote.Auscqt!c
Microsoft Ransom:Win32/WannaCrypt.A!rsm
Tencent Win32.Trojan.Filecoder.Lkds
Ikarus Trojan.Win32.Filecoder
GData Script.Trojan.Agent.98XDFC
Qihoo-360 Trojan.Generic

Relationships

(F) r.wnry (3e002) Related_To (F) tasksche.exe (86721)
(F) r.wnry (3e002) Related_To (F) 4da1f312a214c07143abeeafb695d904 (4da1f)

Description

This is a data file that explains to the victim what has happened and how to pay the ransom.


s.wnry

Details

Name s.wnry
Size 22667
Type Zip archive data, at least v1.0 to extract
MD5 025ac29fc5b5257ca0a031de71f201bf
SHA1 55edb34545871def9a4b6599484ad781fa583407
ssdeep 384:RpyPhUn0idCa1feM+Oyua4nMmK4kOW2JpFILFIBOQnbNOMLIk:7yaJnFe9uaq7W2JdBOQp0M5k
Entropy 7.98860680988

Antivirus

No matches found.

Relationships

(F) s.wnry (025ac) Related_To (F) tasksche.exe (86721)
(F) s.wnry (025ac) Related_To (F) 4da1f312a214c07143abeeafb695d904 (4da1f)

Description

TOR library that is imported by "u.wnry".


taskdl.exe

Details

Name taskdl.exe
Size 20480
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4fef5e34143e646dbf9907c4374276f5
SHA1 47a9ad4125b6bd7c55e4e7da251e23f089407b8f
ssdeep 96:UdocvSeOelwWtaLYjJNOyDGgl2u9+w5eOIMviSOjPtboyn1SEWBwwWwT:6oL0edtJN7qvAZM6S0jP1oynkWBwwWg
Entropy 3.16648454088

Antivirus

MicroWorld-eScan Trojan.GenericKD.5057554
nProtect Ransom/W32.WannaCry.20480
CAT-QuickHeal TrojanRansom.Agent
McAfee Ransom-O
Malwarebytes Ransom.WanaCryptor
VIPRE Trojan.Win32.Generic!BT
K7GW Trojan ( 0001140e1 )
K7AntiVirus Trojan ( 0001140e1 )
TrendMicro Ransom_WCRY.I
F-Prot W32/WannaCrypt.C
Symantec Ransom.Wannacry
ESET-NOD32 Win32/Filecoder.WannaCryptor.D
TrendMicro-HouseCall Ransom_WCRY.I
Paloalto generic.ml
Kaspersky Trojan-Ransom.Win32.Agent.aapw
BitDefender Trojan.GenericKD.5057554
NANO-Antivirus Trojan.Win32.Agent.eopwdw
ViRobot Trojan.Win32.S.WannaCry.20480[h]
Avast Win32:WannaCry-B [Trj]
Ad-Aware Trojan.GenericKD.5057554
Sophos Troj/Wanna-C
Comodo UnclassifiedMalware
F-Secure Trojan.GenericKD.5057554
DrWeb Trojan.Encoder.11432
McAfee-GW-Edition Ransom-O
Emsisoft Trojan.GenericKD.5057554 (B)
Cyren W32/Trojan.NFAB-4202
Jiangmin Trojan.WanaCry.j
Webroot W32.Ransom.Wanacryptor
Avira TR/FileCoder.724611
Fortinet W32/Agent.AAPW!tr
Antiy-AVL Trojan/Win32.TGeneric
Arcabit Trojan.Generic.D4D2C12
AegisLab Troj.Ransom.W32.Agent!c
ZoneAlarm Trojan-Ransom.Win32.Agent.aapw
Microsoft Ransom:Win32/WannaCrypt
AhnLab-V3 Trojan/Win32.HDC.C61115
ALYac Trojan.Ransom.WannaCryptor
AVware Trojan.Win32.Generic!BT
Tencent Win32.Trojan.Ransomlocker.Nmmb
Ikarus Trojan.Win32.Filecoder
GData Trojan.GenericKD.5057554
AVG FileCryptor.OYG
Panda Trj/RansomCrypt.I
Qihoo-360 Trojan.Generic

PE information

Compiled 2009-07-14T00:12:07Z

PE Sections

Name MD5 Raw Size Entropy
(header) 517be0783885b48f9e129f76f2906642 4096 0.647544716167
.text c9aa64fe8d9efc3e7be627442c0172f0 4096 4.92282748815
.rdata e98eaa78f8b3d90a99454c5d64db86ba 4096 2.66441166404
.data d71c25cb529fed9abe0ee5d3d6264cd5 4096 0.105612474489
.rsrc a8fbafb18686e9366dc75c2e1920c441 4096 3.71611137019

Packers

Name Version Entry Point
Microsoft Visual C++ v6.0 NA NA

Relationships

(F) taskdl.exe (4fef5) Related_To (F) tasksche.exe (86721)

Description

This artifact is a PE32 executable designed to search for the string "\$RECYCLE\*.WNCRYT" on all installed drives on the system.

taskse.exe 

Details 

Name taskse,exe 
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TLP:WHITE 


Size 


20480 


Type 

MD5 

SHA1 


PE32 executable (GUI) Intel 80386, for MS Windows 
8495400f199ac77853c53b5a3f278f3e 
be5d6279874da315e3080b06083757aad9b32c23 


ssdeep 96:UjpvOHheaCDCNIOgTegoddPtboyX7cvpOEWy1 HIWwr:UjVWEam7ofP1oyX7olWUHIW0 
Entropy 2.52625096181 


Antivirus 


MI cro Wo rid -eSca n 

Trojan. G e n e ricK D.5057859 

n Protect 

Ransom/W32.Zapchast.20480.B 

OAT^QuickHeal 

Trojan ranso m. Za pchast 

McAfee 

Ransom-0 

Malwarebytes 

Ransom. WanaC ry ptO r 

K7GW 

Trojan {0001140e1 ) 

K7AntiVirus 

Trojan {0001140e1 ) 

TrendMicro 

Ransom_WCRY.I 

F-Prot 

W32A/VannaCrypt.B 

Symantec 

Ransom.Wannacry 

ESET-NOD32 

W]n32/Filecoder.WannaCryptor.D 

T rend M i cro-Hou seCa 1 i 

Ransom_WCRY.I 

Paloalto 

generic.ml 

GOata 

Trojan.GenericKD .5057859 

Kaspersky 

Trojan- R a n so m. Wi n32 .Zapc h ast. i 

BitDefender 

Trojan.GenericKD.5057859 

NANO-Ant I virus 

Trojan. Wi n 32. Za pchast. eo pvwc 

ViRobot 

Trojan.Win32.S.WannaCry.20480,A[h] 

Aegis Lab 

Troj. Ransom. W32IC 

Sophos 

Troj/Wanna-C 

Comodo 

Unci ass if ied M al ware 

F‘Secure 

Trojan.GenericKD.5057859 

DrWeb 

Trojan.Encoder.11432 

VIPRE 

Trojan. Win32.GenericIBT 

M c Afee-G W- Ed i ti on 

Ransom-0 

Emsisoft 

Trojan.GenericKD.5057859 (B) 

Cyren 

W32/Trojan.FXSJ-2552 

Jiangmln 

Trojan. Zapchast. 00 

Webroot 

W3 2. Ran so m. Wa n ac ry pto r 

Avira 

TR/FileCoder.724649 

Antiy-AVL 

Trojan A/Vi n 3 2. TGen e rl c 

Arcabit 

Trojan.Generic.D4D2D43 

ZoneAlarm 

Trojan-Ransom .Win32 .Zapchast.i 

Microsoft 

Ransom: Wi n 3 2 A/Van n aC ry pt 

AVG 

FileCryptorOYH 

AhnLab-V3 

TrojanA/Vin32.WannaCryptor.C 1951306 

ALYac 

Trojan .Ransom. Wan naC ry pto r 

AVware 

Trojan. Win32.GenericIBT 

Ad-Aware 

Trojan .Gene ricK D.5057859 

Panda 

Trj/R an so m C ry pt. C 

Tencent 

Wi n32.Trojan. Ransomlocker.Ozmy 

Ikarus 

Trojan. Win32. Filecoder 

Fortinet 

W32/Zapchast.Dltr 


PE information 

Compiled 2009-07-13T23:16:28Z 
PE Sections

Name       MD5                               Raw Size  Entropy
(header)   bf20072e3afa57f58ac8c40e0f9d162b  4096      0.627317954157
.text      27ba7eebe222f1f600c05d356fdd3f20  4096      3.29976908335
.rdata     95ab42776493299c34c1e0c609c3d165  4096      1.05105359822
.data      5a849268f8bc1bf35214e328323b8793  4096      0.79975850341
.rsrc      f7bd6aed27ba347f17f0fa5893d895d6  4096      3.72171470037

Packers

Name                       Version  Entry Point
Microsoft Visual C++ v6.0  NA       NA

Relationships 

(F) taskse.exe (84954) Related_To (F) tasksche.exe (86721) 

Description 

This artifact is a PE32 executable designed to support Remote Desktop Services. 


u.wnry


Details

Name     u.wnry
Size     245760
Type     PE32 executable (GUI) Intel 80386, for MS Windows
MD5      7bf2b57f2a205768755c07f238fb32cc
SHA1     45356a9dd616ed7161a3b9192e2f318d0ab5ad10
ssdeep 3072:Rmrhd5U1eigWcR+uiUg6p4FLIG4tlL8z+mmCeHFZjoHEo3m:REd5+IZiZhLliG4AimmCo 
Entropy 6.27892040839 


Antivirus 


Vendor                  Detection
MicroWorld-eScan        Trojan.GenericKD.5057856
nProtect                Ransom/W32.Wanna.245760
CAT-QuickHeal           TrojanRansom.Wanna
McAfee                  Ransom-O
Malwarebytes            Ransom.WanaCryptor
VIPRE                   Trojan.Win32.Generic!BT
CrowdStrike             malicious_confidence_60% (D)
K7GW                    Trojan (0001140e1)
K7AntiVirus             Trojan (0001140e1)
Cyren                   W32/Trojan.FSSE-8992
Symantec                Ransom.Wannacry
ESET-NOD32              Win32/Filecoder.WannaCryptor.D
TrendMicro-HouseCall    RANSOM_WCRY.I
Avast                   Win32:WanaCry-A [Trj]
ClamAV                  Win.Trojan.Agent-6312824-0
Kaspersky               Trojan-Ransom.Win32.Wanna.c
BitDefender             Trojan.GenericKD.5057856
NANO-Antivirus          Trojan.Win32.Wanna.eottwl
Paloalto                generic.ml
ViRobot                 Trojan.Win32.S.WannaCry.245760[h]
Tencent                 Win32.Trojan.Ransomlocker.Mvmh
Ad-Aware                Trojan.GenericKD.5057856
Emsisoft                Trojan.GenericKD.5057856 (B)
Comodo                  TrojWare.Win32.Ransom.WannaCryptor.
F-Secure                Trojan.GenericKD.5057856
DrWeb                   Trojan.Encoder.11432
TrendMicro              RANSOM_WCRY.I
McAfee-GW-Edition       Ransom-O
F-Prot                  W32/WannaCrypt.A
Jiangmin                Trojan.WanaCry.a
Webroot                 W32.Ransom.Wannacry
Avira                   TR/FileCoder.724645
Fortinet                W32/GenKryptik.1C25!tr
Antiy-AVL               Trojan/Win32.Deshacop
Arcabit                 Trojan.Generic.D4D2D40
AegisLab                Uds.Dangerousobject.Multi!c
ZoneAlarm               Trojan-Ransom.Win32.Wanna.c
Microsoft               Ransom:Win32/WannaCrypt
Sophos                  Troj/Wanna-D
AhnLab-V3               Trojan/Win32.WannaCryptor.R200589
ALYac                   Trojan.Ransom.WannaCryptor
AVware                  Trojan.Win32.Generic!BT
Rising                  Malware.Generic.5!tfe (cloud:7SfzBq30iMV)
Ikarus                  Trojan.Win32.Filecoder
GData                   Win32.Trojan-Ransom.WannaCry.E
AVG                     Generic_r.SSZ
Panda                   Trj/RansomCrypt.K
Qihoo-360               Win32/Trojan.Multi.daf



PE information 

Compiled 2009-07-13T23:19:35Z

PE Sections

Name       MD5                               Raw Size  Entropy
(header)   143b3fc179777c5b2f2e0ff974ebd7b7  4096      0.763356728671
.text      c9ede1054fef33720f9fa97f5e8abe49  81920     6.24100602272
.rdata     5a89aac6c8259abbba2fa2ad3fcefc6e  40960     5.87183534271
.data      05da32043b1e3a147de634c550f1954d  12288     4.72665302653
.rsrc      8e97637474ab77441ae5add3f3325753  106496    5.63519234495

Packers

Name                       Version  Entry Point
Microsoft Visual C++ v6.0  NA       NA




Relationships

(F) u.wnry (7bf2b)  Related_To  (F) tasksche.exe (86721)
(F) u.wnry (7bf2b)  Related_To  (F) 4da1f312a214c07143abeeafb695d904 (4da1f)


Description 

This artifact is an interactive TOR client which will enable a victim to submit payment to the hackers via a secure TOR session. 


Domains 

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 

URI 

• http[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Ports

• 80

HTTP Sessions

• GET / HTTP/1.1
  Host: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  Cache-Control: no-cache


Whois 

Domain Name: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM
Registrar: NAMECHEAP INC.
Sponsoring Registrar IANA ID: 1068
Whois Server: whois.namecheap.com
Referral URL: http[:]//www[.]namecheap.com
Name Server: NS1.SINKHOLE.TECH
Name Server: NS2.SINKHOLE.TECH
Name Server: NS3.SINKHOLE.TECH
Name Server: NS4.SINKHOLE.TECH
Status: clientTransferProhibited https[:]//icann.org/epp#clientTransferProhibited
Updated Date: 12-may-2017
Creation Date: 12-may-2017

Domain name: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Registry Domain ID: 2123619849_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http[:]//www[.]namecheap.com
Updated Date: 2017-05-12T15:08:10.002
Creation Date: 2017-05-12T15:08:04.002
Registrar Registration Expiration Date: 2018-05-12T15:08:04.002
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse[@]namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https[:]//icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https[:]//icann.org/epp#addPeriod
Registry Registrant ID:
Registrant Name: Botnet Sinkhole
Registrant Organization:
Registrant Street: Botnet Sinkhole
Registrant City: Los Angeles
Registrant State/Province: CA
Registrant Postal Code: 00000
Registrant Country: US
Registrant Phone: +0.00000000000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: BotnetSinkhole[@]gmail.com
Registry Admin ID:
Admin Name: Botnet Sinkhole
Admin Organization:
Admin Street: Botnet Sinkhole
Admin City: Los Angeles
Admin State/Province: CA
Admin Postal Code: 00000
Admin Country: US
Admin Phone: +0.00000000000
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: BotnetSinkhole[@]gmail.com
Registry Tech ID:
Tech Name: Botnet Sinkhole
Tech Organization:
Tech Street: Botnet Sinkhole
Tech City: Los Angeles
Tech State/Province: CA
Tech Postal Code: 00000
Tech Country: US
Tech Phone: +0.00000000000
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: BotnetSinkhole[@]gmail.com
Name Server: ns1.sinkhole.tech
Name Server: ns2.sinkhole.tech
Name Server: ns3.sinkhole.tech
Name Server: ns4.sinkhole.tech
DNSSEC: unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http[:]//wdprs.internic.net/
>>> Last update of WHOIS database: 2017-05-14T11:56:55.96Z <<<


Relationships 

(D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com  Related_To        (U) http[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
(D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com  Related_To        (P) 80
(D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com  Related_To        (H) GET / HTTP/1.1
(D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com  Characterized_By  (W) Domain Name: IUQERFS
(D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com  Connected_From    (F) 5bef35496fcbdbe841c82f4d1ab8b7c2 (5bef3)


gx7ekbenv2riucmf.onion

Relationships

(D) gx7ekbenv2riucmf.onion  Contained_Within  (F) c.wnry (ae08f)


57g7spgrzlojinas.onion

Relationships

(D) 57g7spgrzlojinas.onion  Contained_Within  (F) c.wnry (ae08f)


xxlvbrloxvriy2c5.onion

Relationships

(D) xxlvbrloxvriy2c5.onion  Contained_Within  (F) c.wnry (ae08f)


76jdd2ir2embyv47.onion

Relationships

(D) 76jdd2ir2embyv47.onion  Contained_Within  (F) c.wnry (ae08f)


cwwnhwhlz52maqm7.onion

Relationships

(D) cwwnhwhlz52maqm7.onion  Contained_Within  (F) c.wnry (ae08f)

Relationship Summary 




(F) 5bef35496fcbdbe841c82f4d1ab8b7c2 (5bef3)  Connected_To  (D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
(F) 5bef35496fcbdbe841c82f4d1ab8b7c2 (5bef3)  Dropped  (F) tasksche.exe (86721)

(D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com  Related_To  (U) http[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
(D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com  Related_To  (P) 80
(D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com  Related_To  (H) GET / HTTP/1.1
(D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com  Characterized_By  (W) Domain Name: IUQERFS
(D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com  Connected_From  (F) 5bef35496fcbdbe841c82f4d1ab8b7c2 (5bef3)

(F) tasksche.exe (86721)  Related_To  (S) res11.PNG
(F) tasksche.exe (86721)  Related_To  (F) b.wnry (c1717)
(F) tasksche.exe (86721)  Related_To  (F) c.wnry (ae08f)
(F) tasksche.exe (86721)  Related_To  (F) t.wnry (5dcaa)
(F) tasksche.exe (86721)  Related_To  (F) m_bulgarian.wnry (95673)
(F) tasksche.exe (86721)  Related_To  (F) m_chinese (simplified).wnry (0252d)
(F) tasksche.exe (86721)  Related_To  (F) m_chinese (traditional).wnry (2efc3)
(F) tasksche.exe (86721)  Related_To  (F) m_croatian.wnry (17194)
(F) tasksche.exe (86721)  Related_To  (F) m_czech.wnry (537ef)
(F) tasksche.exe (86721)  Related_To  (F) m_danish.wnry (2c5a3)
(F) tasksche.exe (86721)  Related_To  (F) m_dutch.wnry (7a8d4)
(F) tasksche.exe (86721)  Related_To  (F) m_english.wnry (fe68c)
(F) tasksche.exe (86721)  Related_To  (F) m_filipino.wnry (08b9e)
(F) tasksche.exe (86721)  Related_To  (F) m_finnish.wnry (35c2f)
(F) tasksche.exe (86721)  Related_To  (F) m_french.wnry (4e571)
(F) tasksche.exe (86721)  Related_To  (F) m_german.wnry (3d59b)
(F) tasksche.exe (86721)  Related_To  (F) m_greek.wnry (fb4e8)
(F) tasksche.exe (86721)  Related_To  (F) m_indonesian.wnry (3788f)
(F) tasksche.exe (86721)  Related_To  (F) m_italian.wnry (30a20)
(F) tasksche.exe (86721)  Related_To  (F) m_japanese.wnry (b77e1)
(F) tasksche.exe (86721)  Related_To  (F) m_korean.wnry (6735c)
(F) tasksche.exe (86721)  Related_To  (F) m_latvian.wnry (c33af)
(F) tasksche.exe (86721)  Related_To  (F) m_norwegian.wnry (ff70c)
(F) tasksche.exe (86721)  Related_To  (F) m_polish.wnry (e79d7)
(F) tasksche.exe (86721)  Related_To  (F) m_portuguese.wnry (fa948)
(F) tasksche.exe (86721)  Related_To  (F) m_romanian.wnry (313e0)
(F) tasksche.exe (86721)  Related_To  (F) m_russian.wnry (45261)
(F) tasksche.exe (86721)  Related_To  (F) m_slovak.wnry (c911a)
(F) tasksche.exe (86721)  Related_To  (F) m_spanish.wnry (8d616)
(F) tasksche.exe (86721)  Related_To  (F) m_swedish.wnry (c7a19)
(F) tasksche.exe (86721)  Related_To  (F) m_turkish.wnry (531ba)
(F) tasksche.exe (86721)  Related_To  (F) m_vietnamese.wnry (8419b)
(F) tasksche.exe (86721)  Related_To  (F) r.wnry (3e002)
(F) tasksche.exe (86721)  Related_To  (F) s.wnry (025ac)
(F) tasksche.exe (86721)  Related_To  (F) taskdl.exe (4fef5)
(F) tasksche.exe (86721)  Related_To  (F) taskse.exe (84954)
(F) tasksche.exe (86721)  Related_To  (F) u.wnry (7bf2b)
(F) tasksche.exe (86721)  Dropped_By  (F) 5bef35496fcbdbe841c82f4d1ab8b7c2 (5bef3)

(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (S) res22.PNG
(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (F) b.wnry (c1717)
(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (F) c.wnry (ae08f)
(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (F) t.wnry (5dcaa)
(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (F) s.wnry (025ac)
(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (F) r.wnry (3e002)
(F) 4da1f312a214c07143abeeafb695d904 (4da1f)  Related_To  (F) u.wnry (7bf2b)

(F) b.wnry (c1717)  Related_To  (S) Ooops.PNG
(F) b.wnry (c1717)  Related_To  (F) tasksche.exe (86721)
(F) b.wnry (c1717)  Related_To  (F) 4da1f312a214c07143abeeafb695d904 (4da1f)

(S) Ooops.PNG  Related_To  (F) b.wnry (c1717)
(S) res11.PNG  Related_To  (F) tasksche.exe (86721)
(S) res22.PNG  Related_To  (F) 4da1f312a214c07143abeeafb695d904 (4da1f)

(F) c.wnry (ae08f)  Related_To  (F) tasksche.exe (86721)
(F) c.wnry (ae08f)  Related_To  (F) 4da1f312a214c07143abeeafb695d904 (4da1f)
(F) c.wnry (ae08f)  Contains  (D) gx7ekbenv2riucmf.onion
(F) c.wnry (ae08f)  Contains  (D) 57g7spgrzlojinas.onion
(F) c.wnry (ae08f)  Contains  (D) xxlvbrloxvriy2c5.onion
(F) c.wnry (ae08f)  Contains  (D) 76jdd2ir2embyv47.onion
(F) c.wnry (ae08f)  Contains  (D) cwwnhwhlz52maqm7.onion

(D) gx7ekbenv2riucmf.onion  Contained_Within  (F) c.wnry (ae08f)
(D) 57g7spgrzlojinas.onion  Contained_Within  (F) c.wnry (ae08f)
(D) xxlvbrloxvriy2c5.onion  Contained_Within  (F) c.wnry (ae08f)
(D) 76jdd2ir2embyv47.onion  Contained_Within  (F) c.wnry (ae08f)
(D) cwwnhwhlz52maqm7.onion  Contained_Within  (F) c.wnry (ae08f)

(F) t.wnry (5dcaa)  Related_To  (F) tasksche.exe (86721)
(F) t.wnry (5dcaa)  Related_To  (F) 4da1f312a214c07143abeeafb695d904 (4da1f)

(F) m_bulgarian.wnry (95673)  Related_To  (F) tasksche.exe (86721)
(F) m_chinese (simplified).wnry (0252d)  Related_To  (F) tasksche.exe (86721)
(F) m_chinese (traditional).wnry (2efc3)  Related_To  (F) tasksche.exe (86721)
(F) m_croatian.wnry (17194)  Related_To  (F) tasksche.exe (86721)
(F) m_czech.wnry (537ef)  Related_To  (F) tasksche.exe (86721)
(F) m_danish.wnry (2c5a3)  Related_To  (F) tasksche.exe (86721)
(F) m_dutch.wnry (7a8d4)  Related_To  (F) tasksche.exe (86721)
(F) m_english.wnry (fe68c)  Related_To  (F) tasksche.exe (86721)
(F) m_filipino.wnry (08b9e)  Related_To  (F) tasksche.exe (86721)
(F) m_finnish.wnry (35c2f)  Related_To  (F) tasksche.exe (86721)
(F) m_french.wnry (4e571)  Related_To  (F) tasksche.exe (86721)
(F) m_german.wnry (3d59b)  Related_To  (F) tasksche.exe (86721)
(F) m_greek.wnry (fb4e8)  Related_To  (F) tasksche.exe (86721)
(F) m_indonesian.wnry (3788f)  Related_To  (F) tasksche.exe (86721)
(F) m_italian.wnry (30a20)  Related_To  (F) tasksche.exe (86721)
(F) m_japanese.wnry (b77e1)  Related_To  (F) tasksche.exe (86721)
(F) m_korean.wnry (6735c)  Related_To  (F) tasksche.exe (86721)
(F) m_latvian.wnry (c33af)  Related_To  (F) tasksche.exe (86721)
(F) m_norwegian.wnry (ff70c)  Related_To  (F) tasksche.exe (86721)
(F) m_polish.wnry (e79d7)  Related_To  (F) tasksche.exe (86721)
(F) m_portuguese.wnry (fa948)  Related_To  (F) tasksche.exe (86721)
(F) m_romanian.wnry (313e0)  Related_To  (F) tasksche.exe (86721)
(F) m_russian.wnry (45261)  Related_To  (F) tasksche.exe (86721)
(F) m_slovak.wnry (c911a)  Related_To  (F) tasksche.exe (86721)
(F) m_spanish.wnry (8d616)  Related_To  (F) tasksche.exe (86721)
(F) m_swedish.wnry (c7a19)  Related_To  (F) tasksche.exe (86721)
(F) m_turkish.wnry (531ba)  Related_To  (F) tasksche.exe (86721)
(F) m_vietnamese.wnry (8419b)  Related_To  (F) tasksche.exe (86721)

(F) r.wnry (3e002)  Related_To  (F) tasksche.exe (86721)
(F) r.wnry (3e002)  Related_To  (F) 4da1f312a214c07143abeeafb695d904 (4da1f)
(F) s.wnry (025ac)  Related_To  (F) tasksche.exe (86721)
(F) s.wnry (025ac)  Related_To  (F) 4da1f312a214c07143abeeafb695d904 (4da1f)
(F) taskdl.exe (4fef5)  Related_To  (F) tasksche.exe (86721)
(F) taskse.exe (84954)  Related_To  (F) tasksche.exe (86721)
(F) u.wnry (7bf2b)  Related_To  (F) tasksche.exe (86721)
(F) u.wnry (7bf2b)  Related_To  (F) 4da1f312a214c07143abeeafb695d904 (4da1f)

(U) http[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com  Related_To  (D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
(P) 80  Related_To  (D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
(H) GET / HTTP/1.1  Related_To  (D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
(W) Domain Name: IUQERFS  Characterizes  (D) iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com


Mitigation Recommendations 

US-CERT would like to remind users and administrators of the following best practices to strengthen the security posture of their 
organization's systems: 

• Maintain up-to-date antivirus signatures and engines. 

• Restrict users' ability (permissions) to install and run unwanted software applications. 

• Enforce a strong password policy and implement regular password changes. 

• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known. 

• Keep operating system patches up-to-date. 

• Enable a personal firewall on agency workstations. 

• Disable unnecessary services on agency workstations and servers. 

• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the 
file header). 

• Monitor users' web browsing habits; restrict access to sites with unfavorable content. 

• Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.). 

• Scan all software downloaded from the Internet prior to executing. 

• Maintain situational awareness of the latest threats; implement appropriate ACLs. 


Contact Information 


• 1-888-282-0870 

• SOC@us-cert.gov (UNCLASS) 

• us-cert@dhs.sgov.gov (SIPRNET) 

• us-cert@dhs.ic.gov (JWICS) 

US-CERT continuously strives to improve its products and services. You can help by answering a very short series of questions about this 
product at the following URL: https://forms.us-cert.gov/ncsd-feedback/ 

Document FAQ 


What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In 
most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact 
US-CERT and provide information regarding the level of desired analysis. 

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document 
should be directed to the US-CERT Security Operations Center at 1-888-282-0870 or soc@us-cert.gov. 

Can I submit malware to US-CERT? Malware samples can be submitted via three methods. Contact us with any questions. 

• Web: https://malware.us-cert.gov 

• E-Mail: submit@malware.us-cert.gov 

• FTP: ftp.malware.us-cert.gov/malware (anonymous) 

US-CERT encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software 
vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at www.us-cert.gov. 